Extension talk:Fail2banlog

Latest comment: 4 years ago by Kghbln

Typo in filter.

edit

The mediawiki filter in .etc.fail2ban/filter.d , regex has a typo in it

  Authuntification error .*  should read Authentication error

so fail2ban can get the correct regex and ban the IP

Thanks, the translation from french was quick --LaurentChouraki 07:25, 24 May 2008 (UTC)Reply

Whitelisting IPs

edit

How could I roll back a banned ip? Is there a whitelist of ip addreses I can create while configuring this plugin on my wiki?

-Thanks 68.175.25.58 18:02, 6 June 2008 (UTC)Reply

You can configure it in Fail2Ban (whitelist). Fail2ban add rules to your firewall, you can remove the rules using your firewall administration software. (depend of your firewall)
--LaurentChouraki 20:11, 6 June 2008 (UTC)Reply

Log bad user name too?

edit

The extension works well to log the case when a valid username with an invalid password is entered. Could it be expanded to also log the case where an invalid username is entered? That would allow fail2ban to prevent a brute-force attack to determine valid usernames.

Not as easy as it look. The hook is only invoked for known users. If you need more security, you may use one of the many external authentication methods supported my mediawiki.
--LaurentChouraki 21:47, 12 February 2009 (UTC)Reply

file name

edit

my fail2ban only accepts this solution if the file is called mediawiki.conf and not just "mediawiki" as proposed in the text. Anybody else observe that? Greetings --Hannes Röst 15:24, 22 July 2010 (UTC)Reply

I checked my config... it has the .conf, I will correct the extension page. Laurent.

What is blocked?

edit

The opening paragraph says:

... so you can block bruteforce attacks at the firewall level.

The intro is a little lite on details. What exactly is blocked and when?

Will the extension help with:

# cat /var/log/httpd24/access_log | grep -E 'Penis|Health|Diet|Fat|Muscle'
...
185.145.38.219 - - [19/Apr/2020:10:38:05 -0400] "GET /w/index.php?title=Special:CreateAccount&returnto=Weight+Loss+And+Exercise+-+Can+You+Lose+Muscles+Tissue HTTP/1.1" 200 3268
185.145.38.219 - - [19/Apr/2020:10:38:07 -0400] "GET /w/index.php?title=Special:UserLogin&returnto=Weight+Loss+And+Exercise+-+Can+You+Lose+Muscles+Tissue HTTP/1.1" 200 3879
185.145.38.219 - - [19/Apr/2020:10:38:08 -0400] "GET /w/index.php?title=Special:UserLogin&returnto=Weight+Loss+And+Exercise+-+Can+You+Lose+Muscles+Tissue&type=signup HTTP/1.1" 302 20
185.145.38.219 - - [19/Apr/2020:10:38:09 -0400] "GET /w/index.php?title=Special:CreateAccount&returnto=Weight+Loss+And+Exercise+-+Can+You+Lose+Muscles+Tissue HTTP/1.1" 200 3268
...

We are literally experiencing thousands of these kind of attacks per hour, and it is driving our cpu usage over 80%. Apparently it is costly to service this spam (as opposed to serving a real wiki article).

100.18.0.145 01:32, 25 April 2020 (UTC)Reply

As I understood this the extension itself does not block anything. It provides a log what can be used by fail2ban to do it's work. --[[kgh]] (talk) 15:09, 25 April 2020 (UTC)Reply
Return to "Fail2banlog" page.